Care & Feeding of Your WordPress Website

(Updated 6/8/23) So, WordPress is installed, and your website is up. Your theme is customized just the way you want it, and all of your content has been uploaded. Now you can sit back and forget about it until the next time you want to change the content, right? Unfortunately, no.

Your WordPress Website is a Car, Not a Poster

Every week I hear from site owners who think of their website as something static, like a poster on the internet. But the internet is a complex and constantly changing environment. WordPress must constantly change with it. Then WordPress themes and plugins have to change to stay compatible with the WordPress core. When authors discontinue updating themes or plugins, they may cease to work, or worse yet, continue to work, but become vulnerable to hacking.

And hacking is not the only risk. All of these different moving parts, created by different people, have to interact with each other. The possible combinations of themes and plugins are endless, so there are bound to be a few incompatibilities, even when everything is up to date. These incompatibilities can cause your site to display or function incorrectly, or even to crash.

The truth is, your WordPress website is more like a car than a poster. It requires ongoing monitoring and maintenance. You may be able to neglect maintenance for a while and see no visible repercussions, but just like with your car, this will catch up with you sooner or later. And just like your car, an ounce of prevention can save you a ton of down time, money, stress, and regret.

The biggest potential risk of neglect is hacking. You may think your site’s risk of getting hacked is small, especially if it doesn’t get a lot of traffic. Don’t you believe it. Small, unattended sites are hacker candy (if you want to know why, check out Why Is an Insignificant Site Like Mine Being Attacked? from WordPress security leaders Wordfence, and they don’t even mention hackers who want to post ads on your site).

Sad, but true, hackers will find your website long before your target audience does. While you’re out looking for your audience, hackers are out looking for you.

Why Hackers Love WordPress

Why do hackers love WordPress? WordPress and its free themes and plugins are “open source.” That means that the programming code is public. Every time an update is released, hackers can compare the new and old code. Once they find a change that was made to correct a security vulnerability, they know how to hack any site that hasn’t updated to the new version yet. Don’t let your site become one of them.

Hackers know that many WordPress sites are built by people who know little or nothing about site security. If your friend or family member built a site for you, that is a labor of love, and I don’t mean to detract from it. But they may not have thought to read up on what the site needed after it was built.

A more common scenario is for build ‘n run developers to set up websites using premium (paid) themes and plugins, without informing you that you will need to purchase licenses to access updates. In fact, to avoid revealing this, they typically don’t mention maintenance at all. As site components become more and more out of date, they become vulnerable to hacking.

Is Being Hacked That Big of a Deal?

People who have been hacked never ask that question! Being hacked is a huge hassle. It can take down your website, but that’s the least of the risks. Hacked sites are frequently used to distribute malware, which can get your domain blacklisted and removed from search engine results. Your clients or customers won’t be happy with you if their own computers get infected from visiting your site. Most importantly for anyone who is using email addresses based on their website domain, it can cause mail servers to block all email coming from or going to those email addresses, bringing your business to a dead stop.

Your WordPress website is made up of thousands of files, and malicious code will quickly spread itself to as many of them as it can. Recovering from a hack can take a lot of time and money. To completely eliminate all compromised files and backdoors, you may have to wipe your hosting account and rebuild your site from the ground up in a clean WordPress installation (assuming you have a complete and recent pre-hack backup), or hire a security specialist with advanced (and expensive) skills.

Prevention is simply less costly, in every sense.

An Ounce of Prevention

The good news is that simple prevention practices go a long way towards reducing your risk of getting hacked.

5 Keys to Prevent Hacking

1. CHOOSE A HARD TO PREDICT USERNAME
2. CREATE A STRONG LOGIN PASSWORD
3. BACK UP REGULARLY
4. UPDATE PROMPTLY
5. USE A SECURITY PLUGIN

Choose a Hard to Predict Username

Your username for logging in to your Dashboard should not be “admin.” It should not be your name, your website’s name, or anything else that appears on your website. It should not be the correct spelling of a word (use creative or phonetic misspellings). It should include numbers as well as letters. WordPress usernames are not case sensitive, and cannot include most special characters, so make the most of length and a unique letter/number combination. You can also use your email address to log in to WordPress, so try to avoid putting that same email address anywhere on your website, or anywhere else that hackers may be able to easily find it in an internet search. If you use a predictable username, even if your password is strong, you have reduced the barrier to accessing your site by 50%. Or to put it another way, you have doubled a hacker’s chance of breaking in.

Create a Strong Login Password

STRONG PASSWORDS ARE A MUST!

Let me repeat that – strong passwords are not optional. They are the bare minimum of site security if you care about your site at all. Automated hacking tools can analyze likely words and phrases from your website content and zip through multiple login attempts like lightning. Your password should be at least 24 characters long, and should include upper and lower case letters, numbers, and special characters. It should be unique – recycling is an excellent thing, but not for passwords! Use a password generator, and have your browser remember it so you don’t have to enter it every time.

Even better, and essential if you need to access accounts from more than one device, use a password manager. Most password managers use the same encryption as banks to secure all of your passwords behind a single master password known only to you. Password managers work through browser add-ons and phone apps that link to your cloud password vault, so a password you create on any device will be available to all of your devices. Other password manager features:

  • One-click fill and submit
  • Import login information previously saved in your browser
  • Built-in password generator
  • Check for duplicate and weak passwords
  • Some check for passwords that have been compromised in a breach

(I use RoboForm. Avoid LastPass, which had a major breach in 2022-2023).

Back Up Regularly

Protect your investment in your WordPress website – back it up! Do not rely on your webhost to do this for you – the fine print of all hosting plans will tell you they accept no responsibility for backing up your content. A good host has redundant backup systems, but mistakes can happen (and not all hosts are good). Realistically, a large webhost with thousands of servers containing tens of thousands of sites will never be as invested in your website as you are.

There are numerous backup options. The right one for you will depend on your particular site and needs. Save your backup files in at least two places (three is better), in different physical locations far enough apart that a local natural disaster cannot affect both. Your backup schedule should take into account how often your site files change. Remember that you are changing your website files when you perform updates to themes, plugins, or WordPress, even if you haven’t added any new content. Back up at least once a month, and keep at minimum your last 4 backups.
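As an added example (not the article’s own code, and not any backup plugin’s), here is a small Python backup job that does what the paragraph asks: it archives the whole site tree, copies the archive to a second location, and keeps only the newest four archives. The site path, destination directories and the wp-config.php lines it reads are illustrative assumptions.

```python
"""Added example (not from the article): back up a WordPress site tree and keep the
newest four archives, the article's minimum retention."""
import re
import shutil
import tarfile
import time
from pathlib import Path
from typing import Dict, List, Optional

KEEP = 4  # the article's minimum: keep at least your last 4 backups


def read_db_settings(wp_config: Path) -> Dict[str, str]:
    """Read DB_NAME, DB_USER and DB_HOST from wp-config.php so the same job can
    drive `mysqldump -h HOST -u USER NAME`; DB_PASSWORD is deliberately never returned."""
    text = Path(wp_config).read_text(encoding="utf-8", errors="replace")
    pattern = re.compile(
        r"define\(\s*['\"](DB_NAME|DB_USER|DB_HOST)['\"]\s*,\s*['\"]([^'\"]*)['\"]\s*\)")
    return dict(pattern.findall(text))


def create_backup(site_dir: Path, dest_dir: Path, stamp: Optional[str] = None) -> Path:
    """Archive the whole site tree (wp-config.php, uploads, themes, plugins).
    Theme, plugin and core updates change these files even when no content was added."""
    site_dir, dest_dir = Path(site_dir), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")  # sortable timestamp in the name
    archive = dest_dir / f"wp-backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname=site_dir.name)
    return archive


def prune_backups(dest_dir: Path, keep: int = KEEP) -> List[Path]:
    """Delete all but the newest `keep` archives; names sort by timestamp, so the
    oldest come first. Returns the archives that were removed."""
    archives = sorted(Path(dest_dir).glob("wp-backup-*.tar.gz"))
    doomed = archives[:-keep] if len(archives) > keep else []
    for old in doomed:
        old.unlink()
    return doomed


def copy_offsite(archive: Path, second_location: Path) -> Path:
    """The article's 'two places': copy the archive to a second directory, ideally a
    mounted cloud or remote volume in a different physical location."""
    Path(second_location).mkdir(parents=True, exist_ok=True)
    return Path(shutil.copy2(archive, second_location))
```

Run it from cron or a scheduled task at least monthly, after update days, and point the second location at storage that is not on the same host.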

Update Promptly

Since hackers can identify vulnerabilities in old versions of themes and plugins from updates, it’s important to install updates as soon as they are released. Updating is easy – just check a box and click a button.

WordPress itself is updated several times a year. Minor updates are usually automatic, but you will need to log in to your Dashboard to install major updates. A security plugin (see next section) can email you alerts when an update becomes available.

Updates can be automated. Plugin auto-updating can be enabled for some or all of your plugins in one action by using the checkboxes on your Installed Plugins page. Auto-updating for themes has to be turned on theme by theme. (Contact me if you’d like help with this).

There is a risk to automating updates. With automatic updating, a problem caused by an update can go unnoticed for weeks or months, during which many other updates may occur, so it can be hard to identify which plugin caused the problem. Updating manually keeps you in touch with your site, and if an update causes a problem, you notice it immediately and know what caused it. However, if you aren’t likely to update promptly, the risk of a problematic update may be outweighed by the security advantage of keeping your site current.

Use a Security Plugin

The first thing I install on a new WordPress website is a security plugin. There are excellent, free security plugins that protect your site in a myriad of ways. For example, they can scan your files regularly to check whether they match the files in the WordPress repository, and email you if there’s a discrepancy. They can alert you to needed updates. They can notify you whenever someone logs in to your Dashboard. They can lock out hackers who try to log in, and show you the usernames they tried.
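To show what that file scan actually checks, here is an added Python example, not code from the article or from any security plugin: it compares a site’s core files to the MD5 manifest WordPress.org publishes for each release and reports files that were modified, are missing, or should not be there. The api.wordpress.org checksum endpoint and its response shape are assumed from its current behaviour, and the site tree and manifest are constructed for illustration.

```python
"""Added example (not a security plugin's code): compare a site's WordPress core files
to the official per-release MD5 manifest and report what does not match."""
import hashlib
import json
import urllib.request
from pathlib import Path
from typing import Dict, List

# WordPress.org publishes MD5 sums for every release; assumption: the response shape
# {"checksums": {"wp-includes/version.php": "<md5>", ...}} has not changed.
CHECKSUM_API = "https://api.wordpress.org/core/checksums/1.0/?version={version}&locale={locale}"
# Only core files belong in these two directories, so anything not in the manifest is suspect.
CORE_ONLY_DIRS = ("wp-admin/", "wp-includes/")


def fetch_core_checksums(version: str, locale: str = "en_US") -> Dict[str, str]:
    """Download the manifest for the installed release, e.g. '6.2.2' (needs network)."""
    url = CHECKSUM_API.format(version=version, locale=locale)
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)["checksums"]


def md5_of(path: Path) -> str:
    digest = hashlib.md5()  # MD5 only because that is what the manifest uses
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_core(site_dir: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Return modified, missing and unexpected core files, relative to site_dir.
    Bundled themes/plugins under wp-content/ are often deleted on purpose, so a
    missing manifest entry there is not reported."""
    site_dir = Path(site_dir)
    report: Dict[str, List[str]] = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        path = site_dir / rel
        if path.is_file():
            if md5_of(path) != expected:
                report["modified"].append(rel)
        elif not rel.startswith("wp-content/"):
            report["missing"].append(rel)
    for path in site_dir.rglob("*"):
        rel = path.relative_to(site_dir).as_posix()
        if path.is_file() and rel.startswith(CORE_ONLY_DIRS) and rel not in manifest:
            report["unexpected"].append(rel)
    return {key: sorted(value) for key, value in report.items()}
```

A non-empty "modified" or "unexpected" list is the discrepancy a plugin would email you about; compare against a known-good backup before deleting anything.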

If you are not very technical, you may occasionally need assistance from someone more experienced with WordPress to decide how to respond to alerts from your security plugin. Don’t let this stop you from installing a plugin, however. It can dramatically improve the safety of your site.

Learn to Maintain Your Website

Following the 5 practices above makes your site much more secure against hacking, and keeps you better prepared to restore your site if anything does happen. Automatic update options for most themes and plugins are now built into WordPress, or I can set up email notifications to prompt you when updates are available, and teach you how to perform them. I can also set up automated backup jobs, so all you have to do is download the backup files once they are created. Or we can even set up automatic uploads of your backups to cloud storage.

If you would prefer to turn your site maintenance and monitoring over to someone else, my maintenance plan includes responding to security alerts, performing updates, and downloading copies of your backups.

WordPress.com Maintenance

This article applies primarily to self-hosted WordPress sites. Security and updates are managed for you on WordPress.com sites. You can help out by using good usernames and strong passwords. It is still a good idea to download backups of your content, no matter what platform you use for your website.
